Solaris-Zones: Linux IT Marbles Get a New Bag

Solaris-Zones provides the ability to run Linux and Solaris on the same machine without all the overhead of full virtualization.

Seldom is a data center asked to do less. More often, it's asked to do
more with less—fewer computers and less power consumption. One significant
industry discussion for the past few years has been regarding a reduction in
the number of physical servers and an increase in the application-to-server ratio to maximize server utilization.
Often, this increase is done via virtualization.

At Texas Instruments (TI), we have numerous data centers and design environments that
thrive on the use of Linux and Solaris. Typically, each OS is installed
on individual systems stacked high and aligned in rows throughout the
data center. Linux applications run on Linux;
Solaris applications run on Solaris.

Recently, a new virtualization solution
has emerged that enables IT professionals to run Linux and Solaris side by side
on one physical system. This solution reduces the number of
physical systems in the computer environment and lets each remaining server
do more useful work.

One of the Solaris virtualization environments is called
Solaris-Zones (also known as Solaris-Containers).
Through the development of OpenSolaris, Solaris-Zones has been extended
to support zone branding. Solaris-Zones now enables the creation of
“lx” branded zones. An lx branded zone supports the installation and
execution of a Linux distribution and its applications on top of the Solaris kernel. When lx branded
zones are used in conjunction with ZFS (the Zettabyte File System),
Linux environments are able to do more, faster.

Linux always has been about technical developers and enthusiasts doing
whatever moves them. The security of Solaris-Zones combined with the
power of Linux opens a huge new frontier of development freedom—from
the enterprise environment to the single desktop. With Solaris-Zones,
it's easy to define, create, install and execute Linux (lx) branded zones.

This article introduces lx branded zones and presents the necessary tools
for each step of the zone management process. Some familiarity with
chroot environments and with the basic concepts of virtual machines (VMs)
and the features they provide is helpful but not required; it makes it
easier to convey what a zone is and gives a better platform for understanding.

Zones Simplified

So, what is a zone? A zone provides security and virtualization in a unique
way. The Solaris-Zone has its own filesystem with a root directory,
system files and so on, like that of the primary environment of the physical
system. The private root filesystem, one per zone, gives it the ability
to be fully configurable and flexible. A zone provides nearly the same
experience as the main OS. In this regard, it is like a VM without the VM
hardware emulation layer.

The zone is provided with an operating environment
but without a private dedicated kernel. The lack of a dedicated kernel is a huge
performance enhancement—when you experience the boot process, you will see how
fast it is compared to a normal boot. User and administrator experience
within the zone is very similar to that of a full VM in flexibility, but
like a chroot environment, it sheds the overhead of a full VM.

It is important to understand that a zone is not a full virtual machine
in the sense that you would see with Xen or VMware or VirtualBox.
A zone is operating-system-level virtualization: every zone shares the
global zone's kernel, and an lx branded zone adds a system-call translation
layer on top of that, more akin to Wine perhaps, but at a more fundamental level.
This means that an lx branded zone does not contain its own
Linux kernel; the Linux system calls made by its processes are translated by
the brand's emulation layer and serviced by the underlying Solaris kernel.

The zone provides security through isolation. Each zone has its own root
account and password. The superuser within
a zone has no special privileges to gain access to objects outside the
zone. No account inside a zone can exit the zone or examine processes and
files outside it. Because the kernel is shared rather than dedicated, that
boundary is enforced by the kernel itself rather than by hardware, so it is
only as strong as the kernel and, for lx zones, the brand's system-call layer.
Optional resource management lets the global-zone administrator cap the
memory and CPU each zone may consume, so one zone cannot starve the others
of CPU or memory.
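As an added example of the define, install and boot steps mentioned earlier and of the resource caps and process isolation described above (this script was written for this edit and is not code from the original article or from Sun), the following sh script emits a zonecfg(1M) command file for an lx branded zone with a memory cap and a CPU cap, applies it with zonecfg, installs the zone from a Linux archive with zoneadm and boots it. The zone name lx-demo, the zonepath /zones/lx-demo, the NIC e1000g0, the address 192.168.10.20/24, the archive path /export/centos-5.tar and the cap values are all assumed. The zone commands run only where zonecfg exists (a Solaris global zone); elsewhere the script just prints the command file it would apply.

```shell
#!/bin/sh
# Added example, not from the original article: define an lx branded zone
# with capped memory and CPU, install it and boot it.
# Zone name, zonepath, NIC, address, archive path and cap values are assumed.

# Emit the zonecfg(1M) command file for an lx branded zone.
#   $1 zonepath   $2 memory cap (e.g. 1g)   $3 CPU cap (e.g. 1.5)
# "create -t SUNWlx" selects the lx brand template; capped-memory and
# capped-cpu are the resource controls that keep this zone from starving
# the others. The NIC and address are assumed values for the example.
lx_zone_config() {
    zonepath=$1; memcap=$2; cpucap=$3
    cat <<EOF
create -t SUNWlx
set zonepath=$zonepath
set autoboot=true
add net
set physical=e1000g0
set address=192.168.10.20/24
end
add capped-memory
set physical=$memcap
set swap=$memcap
end
add capped-cpu
set ncpus=$cpucap
end
verify
commit
EOF
}

# Apply the configuration, install from a Linux distribution archive
# (for lx zones, zoneadm install -d takes the archive or media path)
# and boot. The brand column of zoneadm list shows "lx" for the new zone.
define_and_boot_lx_zone() {
    zone=$1; zonepath=$2; media=$3
    cfg=$(mktemp) || return 1
    lx_zone_config "$zonepath" 1g 1 > "$cfg"
    zonecfg -z "$zone" -f "$cfg"
    rm -f "$cfg"
    zoneadm -z "$zone" install -d "$media"
    zoneadm -z "$zone" boot
    zoneadm list -cv
}

# Isolation check, run from the global zone: Solaris ps can report the zone
# each process belongs to, so the global zone sees the lx zone's processes.
# Run inside the zone instead (zlogin "$1" ps -ef), ps shows only the
# zone's own processes; nothing outside the zone is visible.
zone_processes() {
    ps -eo zone,pid,args | awk -v z="$1" '$1 == z'
}

# Only run the zone commands where they exist (a Solaris global zone);
# elsewhere just print the command file that would be applied.
if command -v zonecfg >/dev/null 2>&1; then
    define_and_boot_lx_zone lx-demo /zones/lx-demo /export/centos-5.tar
    zone_processes lx-demo
else
    lx_zone_config /zones/lx-demo 1g 1
fi
```

The memory and CPU caps are what give the "cannot starve the others" property; without the capped-memory and capped-cpu resources the zone is isolated but still competes freely for the global zone's CPU and RAM.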

Note: the primary Solaris OS, the one installed directly on the physical
platform, is also a zone. It is called the global zone and continues
to look and feel as Solaris always has. All other zones
are created from the global zone; they are called non-global zones
(sometimes sub-zones). Non-global zones cannot create zones within themselves. Figure 1 illustrates
the relationship between the global zone,
non-global zones and possible VMs.